Authored by Adam Govier, Security Consultant, SureCloud
In our post, ‘Antivirus Advice: Scoping an enterprise AV solution,’ we looked at the minimum feature set we’d recommend organisations look for in an antivirus solution. Here, we will dive into best practices when configuring AV solutions.
Regardless of the product’s effectiveness, remember that an AV solution should only form part of your overall security control set. Even with the best possible antivirus configuration, there are still several ways attackers can bypass the AV.
However, a best-practice AV configuration is strongly recommended as part of an in-depth defense approach. Here is SureCloud’s recommended checklist for configuring your chosen solution.
Checklist for Antivirus Configuration
- Deploy Tamper Protection using a strong, complex password. If using user credentials (for example, a Domain User account), configure the password to be long and complex, and ensure that the principle of Least Privilege is followed. This password should not be used for any other system or service.
- Limit the number of exclusions per deployment policy, and be precise with file paths. Avoid using wildcards unless absolutely necessary (for example, with a database directory). In addition, too many exclusions will likely cause performance issues with the AV software. Use file hash values where possible when configuring exclusion policies.
- Deploy individual policies per server or, at the very least, per server role. (For example, Domain Controllers should have their own policy, as should MS SQL Database Servers).
- Enable on-access (or real-time) scanning, also ensuring that heuristic scanning is enabled.
- Run a full system scan regularly; don’t simply rely on the ‘on-access’ scanning. This full system scan should also include ‘on-access’ excluded locations. Exclusions are often used by attackers (or penetration testers) as drop-points.
- If possible, enable alerting for any detections from scanning and create email groups to notify Support Desk and Security Teams. Some products allow alerts based on whether a system is infected once, re-infected, or if an outbreak occurs.
- Configure AV logging with appropriate alerting to the IT team. For example, should the AV be disabled or a virus detected, then a follow-up process should start as soon as possible.
- Keeping AV definitions fully up to date is critical. Apply the latest definitions and signatures as soon as possible after release from the AV vendor. Test updates to the AV engine itself before full deployment in case any compatibility issues arise.
- Restrict USB and other storage media access if the endpoint software has that functionality. Prevent ‘write’ permissions to reduce the risk of data loss and restrict any ‘read’ permissions. This will prevent external data or files, which could harbour malware, from being brought into the internal network.
- Configuring different policies for mobile devices (laptops/tablets/etc) based on location can ensure that a stricter environment is enforced when the user and their device are out of the office. It’s recommended that you increase the scheduled scans so that quick scans are performed every two hours, with at least one full scan per day if an ‘external’ or ‘out-of-office’ policy is in use. Completely restricting USB and external media access is also advised.
- Where possible, use different AV solutions throughout the network to increase your chances of detecting and infection early. For example, use a different product on your servers and workstations. Again, consider a different product for email filtering and/or other network entry points.
Antivirus software, much like other products and services, is used more effectively in a defense in-depth approach to security. Due to variances in technology, there will unlikely be a single AV product that can prevent everything, especially due to the techniques that exist for AV evasion.
You can analyse any suspicious files, domains, IPs, and URLs over at virustotal.com.
Cybersecurity Risk Management with SureCloud
SureCloud offers a set of Cybersecurity testing services, enabling you to identify your networks’ weaknesses and find solutions. To find out more information, take a look at Penetration Testing and Cyber Risk Management more broadly.